Archive

While doing a security assessment, a password hash was recovered using responder.py. We then attempted to crack the hash using Hashcat and the hate_crack script and failed to recover it. We were later successful in getting domain admin level access using another method, and using CrackMapExec we were able to use Mimikatz to recover the clear text password from the memory of the user’s computer. We found that it consisted of two words separated by a number and was 12 characters long. It didn’t fit any of the Pathwell Top 100 Mask Brute Force Crack methods. The mask was ?u?u?d?l?l?l?l?l?l?l?l?l.

This is a very common and logical pattern that many people use.

I could just add this mask to the existing Pathwell masks, and this would work, taking about 3 days with four Nvidia GeForce GTX 1080s. But it would be more efficient to use a modified combinator attack, which would work in many more instances. Hashcat allows you to add a rule to each side of the combinator attack using the -j and -k flags, which lets you append a character to each side of the combinator attack. As far as I can tell, though, there is no way to simulate a mask with one run, so I added two new methods to the hate_crack script. The first method I am calling the Middle Combinator Attack. It is simple:

Dict1 + masks + Dict2

Where the masks are: 2 4 <space> – _ , + . &

I chose these as I have found these are common characters to separate two words.
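As an added example (not part of the post or of the hate_crack project), here is a small password-audit check that flags exactly the two patterns described above: a candidate that fits the recovered hashcat mask, and a candidate that is two dictionary words joined by one of the separators listed. The word list and test passwords are constructed; the post’s “–” is assumed to be a plain hyphen, so both characters are included.

```python
import re

# Hashcat charset shorthands used in the post, mapped to regex character classes.
HASHCAT_CHARSETS = {
    "u": "[A-Z]",
    "l": "[a-z]",
    "d": "[0-9]",
    "s": r"[ -/:-@\[-`{-~]",   # printable ASCII punctuation and space
    "a": r"[ -~]",             # any printable ASCII
}

# The mask recovered in the post: two uppercase, one digit, nine lowercase.
RECOVERED_MASK = "?u?u?d?l?l?l?l?l?l?l?l?l"

# Separators the post's middle combinator inserts between the two words.
# The post's "–" is taken to be a plain hyphen, so both are listed (assumption).
SEPARATORS = ["2", "4", " ", "-", "–", "_", ",", "+", ".", "&"]


def mask_to_regex(mask):
    """Translate a hashcat mask into an anchored compiled regex."""
    parts, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            parts.append(re.escape(mask[i]))
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        tag = mask[i + 1]
        if tag == "?":                      # "??" is a literal question mark
            parts.append(r"\?")
        elif tag in HASHCAT_CHARSETS:
            parts.append(HASHCAT_CHARSETS[tag])
        else:
            raise ValueError(f"unsupported charset ?{tag}")
        i += 2
    return re.compile("^" + "".join(parts) + "$")


def middle_combinator_match(password, words):
    """Return (left, sep, right) if password is word + separator + word, else None.

    Matching is case-insensitive against `words`, a set of lowercase words,
    mirroring Dict1 + separator + Dict2 from the post.
    """
    lowered = password.lower()
    for sep in SEPARATORS:
        idx = lowered.find(sep, 1)
        while idx != -1:
            left, right = lowered[:idx], lowered[idx + len(sep):]
            if left in words and right in words:
                return left, sep, right
            idx = lowered.find(sep, idx + 1)
    return None


def audit_password(password, words, masks=(RECOVERED_MASK,)):
    """List the weak-pattern findings for one candidate (empty list = none)."""
    findings = [f"matches mask {m}" for m in masks if mask_to_regex(m).match(password)]
    hit = middle_combinator_match(password, words)
    if hit:
        findings.append("two dictionary words joined by %r" % hit[1])
    return findings


# Constructed sample dictionary and candidates (not from the post).
SAMPLE_WORDS = {"blue", "water", "sun", "flower", "house", "cat", "spring"}

if __name__ == "__main__":
    for pw in ("Blue2water", "AB4cdefghijk", "Sun&flower", "Tr0ub4dor&3"):
        print(pw, "->", audit_password(pw, SAMPLE_WORDS) or "no weak pattern found")
```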

The second method I am calling the Thorough Combinator Attack. It runs through many different combinator attacks using different masks. Currently, it uses the following methods:

Ransomware has been in the news lately, with one of California’s community colleges having recently fallen victim to it. If you are not familiar with the term, ransomware is a type of malware.

It encrypts the content of your hard drive and demands that you pay a ransom to regain access to your data. If you don’t contact the criminals and pay the ransom within a set time period, your files are lost forever.

Ransomware uses extremely strong, unbreakable encryption and there is no getting around it – you either pay the ransom or you can write off your files.

The first modern ransomware malware was released in 2006 and since then the occurrences of malware have exploded. There are many reasons for this but chief among them is the rise of anonymous currency, such as bitcoin.

In the beginning criminals used credit card processors and wire transfers to get the ransoms from victims, but this put them at a bigger risk of getting caught and the banks would frequently seize their ill-gotten loot. With bitcoin it is much harder to stop the criminals as there is no central bank that can freeze the payments and assets of the criminals.

Big Business

Ransomware is big business. A CNN report estimates that ransomware was on pace to have earned criminals $1 billion last year.

These criminal organizations are run like a real business. Some will go so far as to provide 800 numbers where victims can both negotiate the ransom and get tech support on how to pay the criminals with bitcoin. They will base their ransom on what they think the victim can pay. So a family computer may face a ransom of a few hundred dollars while a large business may face a multi-thousand dollar ransom. The criminals also have automated systems that will automatically send the victims the decryption key and instructions after paying the ransom.

Prevention Is Best Defense

So how do you prevent being the victim of ransomware? By taking the same precautions you would take to prevent regular malware.

The criminals will usually use social engineering to get you to open a file – typically in the form of phishing. They will send you an email with a believable story about why they are contacting you, and instruct you to look at an attachment for further information. This type of phishing attack can take many forms and you can read more in our previous article.

The other vectors of infection are through un-patched internet browsers and plug-ins such as Flash and Adobe Acrobat Reader. It is important to keep all of your software up to date as new security vulnerabilities are discovered every day.

Ransomware can spread through a network as well, so if you have an account with administrative privileges it is important that you don’t use that account to browse the internet. You should have a separate, unprivileged account that you use on a daily basis, and only use the administrative account when doing tasks that require it.

Backup Your Data

The main takeaway is you should always back up your important files, with at least one backup being an offline backup. For example, if you have an external hard drive that you regularly use to back up your data and you get ransomware, chances are the external drive will also be impacted.

If you back up to both a hard drive and an online backup service such as Backblaze or CrashPlan then you will be in much better shape, as the online services support what is called versioning. Versioning keeps multiple copies of the data when files change. Also, as of now there isn’t any known strain of ransomware that attempts to delete third-party online backups.

The safest method, by far, is doing a weekly backup to an external hard drive that you keep disconnected from your computer when not in use. This drive should only be attached as long as needed to back up your files.

Following these precautions should save you the painful decision of whether or not to pay a ransom to get access to all of your precious, and often irreplaceable, files.

The internet is a wide open space and, much like the real world, contains the greatest and the darkest of things. This blog will focus on the best browsing practices to protect yourself on the internet.

There are a thousand and one products out there that promise to keep you safe online, and they all work to varying extents, but the best protection is situational awareness and best practices. Much like you wouldn’t walk down a dark alley at midnight in the highest crime area of a city, you shouldn’t go wandering into the dark depths of the internet.

Be Safe On Social Media

Let’s start with best social media practices. It is best practice to not publicly post your information, but if you do, following these guidelines will help keep you safe:

Double check your privacy settings. Are you sharing more than you think?

Think before you post: Would you be embarrassed if this picture or post was viewed by your mother or your boss? If so, you probably shouldn’t post it.

If you are going to be leaving on vacation, don’t post this type of information publicly. Criminals have been known to search social media to find targets to burglarize.

Don’t “friend” strangers. Criminals have been known to friend people so they can view the information they post on social media. This information can help them steal accounts with easily guessed password-recovery questions.

Be guarded with the information you post. If you see a survey full of personal questions like your mother’s maiden name, first pet, first car, street you grew up on, first job, etc., don’t fill these out. These are all common questions used for password resets.

If you are doing online dating, pick a random handle, not one you use anyplace else – and not your real name. You should also not post pictures with identifiable places where you commonly hang out. The internet has its share of creeps and this information can help them find you, especially in smaller communities.

Talk to your kids about the safe use of social media. In this day and age it is important that they know how to stay safe online.

Avoid Downloads

Another big one: don’t download software from peer-to-peer or other dodgy sites. Software can be expensive, but downloading it illegally is not only against the law, it’s dangerous.

It is easy to add Trojans and other malware to seemingly legitimate software. Sure, the latest version of Photoshop may work just fine when you install it after downloading it off the Pirate Bay, but it is very likely you also just installed ransomware, and it will cost you more in the long run. Only purchase your software from legitimate sources.

Don’t open documents in an email, instant messenger or text message, unless you are expecting them, even if it is from someone you know. This is another large vector for malware infection.

Word documents, Excel files, PDFs and other files can contain what is called a macro virus. These are programs inside the files that can be used to install malware on your computer. Once an attacker infects a computer they will send out messages to everyone in the person’s contact list with a virus attached. These have even been seen on mobile phones, mainly on Android devices, which for a variety of reasons tend to be the least secure.

Browse Safely

Keep your browsing software up to date. Browsers have become much better at this, with Firefox and Chrome automatically updating themselves. To be on the safe side, go into the menu option and check to see if your browser is up to date. If you are an Internet Explorer or Safari user, be sure that you are installing all the latest patches from Apple and Microsoft. Older browsers often have vulnerabilities that can be exploited just by visiting a malicious website.

Use an ad blocker. There is a large overlap between ad networks and malware. This is often called malvertising. Malicious code finds its way into ad sites on a regular basis because criminals know that by compromising an ad site they will be able to infect a large number of browsers. If you block these sites you avoid the ads, and the risk.

If you’re not familiar with the term phishing, it is an attempt to fraudulently obtain sensitive information such as account login and passwords, Social Security numbers, credit card numbers, account numbers, etc.

The most common form of phishing is through the use of email, but it can also happen over the phone. Phishing has become one of the most – if not the most – common ways criminals obtain sensitive information. As IT departments have locked down computer systems, attackers have found that humans are often the weakest link in the security chain. Why spend hours trying to find a way to break into a computer when you can just ask the human using it to provide the information you want?

The common thread in phishing is the attackers will try and come up with a believable scenario and ask you to do something. This may be as simple as them emailing you a link asking you to reset your email password, and when you click on the link you go to a website that looks just like the real one. Except it isn’t.

Cloning a website has become an easy process for an attacker to do. There are easily obtainable tools to copy websites, for example gmail.com. Some techniques even forward you on to the real website so you don’t become suspicious when your login doesn’t work.

Sophisticated Attacks

Unfortunately, there isn’t an easy solution to this problem. As time has gone on the attacks have become more and more sophisticated. Long gone are the days when phishing attempts used poor grammar and punctuation, which served as a red flag to alert you that something wasn’t quite right about that email asking you to reset your bank account password.

Now, we see ever more sophisticated and pointed attacks, often referred to as spear phishing. The attacker will find out the names of the most important individuals, the college president for example. They will then find who reports to these executives and impersonate them with requests.

An example of a college that fell prey to this scheme involved an attacker that impersonated the president. They asked an employee in payroll to send them the W2s of the college’s employees so they could review them. The employee, not wanting to question or upset who they perceived as their superior, complied with the request, and sent the attacker copies of the employees’ W2s.

In general, though, here are some tips to avoid being the victim of phishing scams:

An IT department should never ask you to reset your password through email.

An IT department should never ask you for your password over the phone.

You should never send any sensitive information through regular email. This includes Social Security numbers, credit card numbers, account numbers, and any documents that include these. Email is not encrypted and should never be used to send and receive such sensitive information.

Don’t open documents you are not expecting to receive, and if you are ever asked to enable macros after opening a document don’t do it. This is a common way an attacker will try and infect your computer with malware.

Never go to your bank’s website by clicking on a link from an email, as it may be fraudulent.

If you receive a message that doesn’t look right to you, report it to your local IT department.

Password. That’s a cringe-inducing word. What a pain; you constantly need to change your passwords. You have to use mental gymnastics to remember all of them, and don’t get me started on special characters. I hate passwords.

Yes, I am the Chief Information Security Officer of a large organization, and I can admit I hate passwords just as much as anyone else. Now, I know they are extremely important but, in my opinion, they are often mismanaged.

When IT administrators put so many restrictions on passwords, we actually drive people to even more dangerous practices—like writing down your passwords on a sticky note, and using the same password for all the things we log in to. Although often-hated passwords are a necessity, I would like to explore passwords and prove the pain can be eased.

Password vs. Passphrase

First, let’s take a look at password complexity. The default Microsoft Windows password policy requires eight characters, including one uppercase letter, one lowercase letter, one number and one special character. By this rule, “Password1!” is an acceptable password. Unfortunately, from past experience, this is exactly the kind of password I see being used. It follows the pattern: an English word, a number, and a special character, in that order.

Explaining the reasons why this approach is unsafe will be the subject of another article but rest assured, with this type of password, if there is a security compromise, the attacker can often get the plain-text password of a large majority of an organization.

A much better approach to ensuring password security is to remove the complexity requirements and instead require much longer passwords called “passphrases”. I know what you are saying. “I have to remember a longer password and that is better!?!?” Hear me out: Yes, it is. A passphrase is easier to remember.

Think about it. Which would be easier to remember, the password, “HaRdS1#!”, or the passphrase, “I like the flowers in the springtime?” I think we can all agree the second one is much easier to remember, because this is how our brains are wired. A plain-English phrase is something we have been memorizing since childhood.

Something that is not obvious unless you are a mathematician is that the passphrase is also much more secure. It is harder to break once the password is scrambled into the form it is stored on the computer. An attacker can brute force an eight-character password in just about a day, but a 15-character passphrase would take a near infinite time with the computer power available today.

Passwords In Practice

Now, let’s take a look at password re-use. I know it is tempting to come up with a good password and use it on all the websites we use. This is a dangerous practice because websites are being breached on a daily basis, and passwords are not always stored securely. There have been many large sites that have had breaches with all their user accounts compromised and publicly posted on the web.

Take a look at the website haveibeenpwned.com. This site will show you if your account has been compromised by some of the more recent public breaches. The danger is that once your email address and password are exposed, criminals can use it to try to log in to other sites. For example, if your Dropbox password is the same one you use for online banking then you should change it immediately, as Dropbox had a breach back in 2012 that has just now been discovered.

This is why I recommend the use of a password manager. The one I use is LastPass but there are several excellent ones out there. The idea of a password manager is that it will generate a unique random password for each website that you need to log in to. There is one master password that you need to remember to unlock all the other passwords. This password is used to encrypt all the passwords so they are only ever useable once you have unlocked them with your master password.

Therefore, a password manager lets you have unique passwords for each site while only needing to remember one password. If one of your accounts is ever compromised, the attacker won’t be able to use your password on another site to perform some nefarious activity. All you have to do is visit the site that was compromised and use the password manager to create a new secure, random password.

Two Steps Are Better Than One

Finally, let’s look at two-factor authentication. Two-factor authentication uses something you have, which can be a device you plug in to your computer, a text message that is sent to your phone, or an application on your phone, to authenticate.

This, in my opinion, is the ultimate solution. You can let everyone use a much easier-to-remember shorter password, and if it is ever compromised the attacker still can’t get into a system without the device that you carry with you.

For example, someone gets your username and password for your bank account, but you have two-factor authentication set up. So, now when the attacker tries to log in to your bank account, you get a notification on your phone that someone is trying to log in to your bank account, and the mobile app asks you to press the “Confirm login” button to allow the login to continue.

Since you are not trying to log in to your bank account, you would just click “No” on an app, and go change your bank password. With the disaster averted, you can now contact your bank and report the incident, knowing your hard-earned money is still safe.

I have been asked many times, “What are reasonable security controls?” This is a hard question to answer, as what I consider to be reasonable isn’t what others would. As an information security officer, I tend to be very risk-averse.

After all, information security is what I refer to as a “weak link” problem. What I mean by that is it only takes one weak link for an attacker to be able to gain a foothold into a network.

Until recently, there were no California-specific regulations or legal opinions to be able to point to about how to prevent network attacks. There are of course the California data security breach notification laws—the first of their kind in the nation—that explain what an institution has to do after a breach occurs. However, there was nothing that said how you should be protecting the data that you are collecting in the first place.

That finally changed this year when the State Attorney General of California published the 2016 California Data Breach Report. In the report, Attorney General Kamala Harris gives a set of five recommendations to prevent the most common breaches, thus finally giving us a legal definition of “reasonable security controls.”

First Line Of Cyber Defense

The attorney general’s first recommendation is to implement the Center for Information Security’s Controls for Effective Cyber Defense, also known as the CIS Critical Controls. The CIS Critical Controls consist of 20 control categories, each with a subset of controls. They are very straightforward and easy to follow. I would encourage everyone to download and read them.

These controls really do work and this should now be the standard that you are working on implementing at your college. The controls are prioritized in order of importance, and if you are implementing them you should start with number one and work your way down.

You will quickly realize that, to be able to implement these controls properly and still maintain the openness of a college campus, you may need to do some re-architecting. Take for example the first control, “Inventory of Authorized and Unauthorized Devices”: If you look at a typical college campus, there are many hundreds if not thousands of devices that come and go in a single day. It is nearly impossible to be able to know what every device is and who is using it.

However, if your network is properly segmented into different trust levels then the problem becomes a lot easier to tackle. You should be able to securely configure your network to disable free access in the most secure segments, where each device needs to be registered and tightly controlled, and block access to outside devices.

New Legal Security Standard

There could also be added liability if your institution isn’t at the very least working toward implementing the CIS Critical Controls. This will now become the gold security standard for the state of California, and in effect becomes the de facto civil law of California, until such time as the state legislature decides to formally weigh in on this subject.

If the California Data Security Breach Reporting law is any indication, other states’ attorneys general may follow suit and release similar opinions on data breach prevention. So if your institution is breached in the future and the CIS Controls are not in place, a resulting lawsuit could bring the possibility of increased civil fines. A judge may see the failure to implement the CIS Controls as negligence. I do not claim to be a lawyer and you should ask your district’s general counsel for their take on the liability aspect of not implementing the attorney general’s recommendations.